System architecture and method for guaranteeing network information security

ABSTRACT

Disclosed is a system architecture and method for guaranteeing network information security, the system architecture including the Internet, a program fragmentation processing unit and an authentication unit. The method includes: acquiring a first set and a second set of 13-bit decimal data, judging whether the data is in line with EAN13 and serial number coding principles, if yes, encrypting the two sets of data, to generate a third set of data, obtaining three sets of data codes and using them as new IP addresses, upon program fragmentation processing on the new IP addresses, an authentication center decrypting the three sets of data, if a computation result is “0”, transmitting information to a target user, that is, an interviewee, after encryption of the three sets of data, and storing three sets of data codes divided into three lines, used for network addressing.

FIELD OF INVENTION

The present invention relates to applications of commercial password technologies in guaranteeing network information security, in the form of a digital password authentication system and method that can guarantee network information security.

BACKGROUND

The Internet is an international computer network formed by a wide area network, a local area network and a single machine according to a certain communication protocol. The Internet is the result of linking two or more computer terminals, clients and servers through means of computer information technologies.

With more and more frequent network attack events, security vulnerabilities have made user security and protection measures a disturbing focus, wherein even large well-known users with security awareness face the same issue, and the network information security issue has become one of the important issues to be solved by the information society. Therefore, ensuring safety protection will be a necessary IT demand, instead of only owning the equipment. The security vulnerabilities cross various industries, and extend to access, infrastructure and applications; they may occur on fixed and mobile networks, and damage users' entity, intellectual property and financial capital. Any downtime caused by network vulnerability may bring about frustrating effects on customers' experience and users' brand reputation, and finally affect service benefit and sustainability.

A password technology is one of the important means of protecting network information security. The password technology has been in existence since ancient times, and so far has gone from the diplomatic and military field to the public. It not only has an information encryption function that ensures information confidentiality, but also has functions such as digital signature, identity authentication and system security. Therefore, using the password technology not only can ensure information confidentiality, but also can ensure information integrity and certainty, and prevent information from being tampered with, counterfeited and faked.

SUMMARY OF THE INVENTION

An objective of the present invention is to provide an architecture and method that encrypt, identify and protect network information with respect to the shortcomings of the prior art, which has express (plaintext) parts as well as password (ciphertext) parts, both of which are easy to identify for visitors and users, and not easy to counterfeit and fake.

The objective of the present invention can be achieved through the following technical solutions:

A system architecture for guaranteeing network information security includes the Internet, that is, an international computer network formed by a wide area network, a local area network and a single machine according to a certain communication protocol, wherein the system further includes:

a program fragmentation processing unit used for performing program fragmentation processing on data; and

an authentication unit used for performing encryption and decryption computations on the data.

A system method for guaranteeing network information security, wherein the method includes:

(1) acquiring a first set and a second set of 13-bit decimal data to be processed by a computer;

(2) the computer judging whether the first set of data is in line with an internationally agreed EAN13 coding principle, if yes, the background making the data correspond to an IPV4 address of a user, and if no, prompting an error;

(3) the computer judging whether the second set of data is in line with a serial number coding principle, if yes, performing the next step, and if no, prompting an error;

(4) the computer encrypting the first set of data in line with the EAN13 coding principle and the second set of data in line with the serial number coding principle through a commercial password algorithm, to generate a 13-bit decimal authentication code, that is, a third set of data;

(5) the computer dividing the first set of data, the second set of data and the third set of data into three lines, that is, three sets of data codes are obtained, and using them as new IP addresses of the user;

(6) a visitor transmitting information containing the new IP addresses of the user to a program fragmentation processing unit of a computer system, that is, CN39-313, which performs program fragmentation processing on the data and divides the data into three segments, each segment being a 13-bit decimal number, that is, a 52-bit binary number;

(7) the computer transmitting the three sets of data to an authentication center which decrypts the three sets of data, if a computation result is “0”, transmitting information to a target user, that is, an interviewee, after encryption of the three sets of data, and if the computation result is “1”, abandoning transmission; and

(8) the computer storing three sets of data codes divided into three lines, used for network addressing.

According to the system method for guaranteeing network information security, the coding principle of the second set of data, that is, the serial number coding principle, is that positions 1-4 are 4-bit year codes, positions 5-6 are 2-bit month codes, positions 7-8 are 2-bit date codes, and positions 9-13 are 5-bit serial number codes of the date.

According to the system method for guaranteeing network information security, after the authentication code is obtained, the authentication code is decrypted through the commercial password algorithm, and the first set and the second set of 13-bit decimal data can be obtained.

According to the system method for guaranteeing network information security, the computer divides the first set of data, the second set of data and the third set of data into three lines and then stores the data in a manner of storing the first set of data, the second set of data and the third set of data in three lines.

According to the system method for guaranteeing network information security, in product logo printing, the computer divides the first set of data, the second set of data and the third set of data into three lines and then stores the data in a manner of storing and printing the first set of data, the second set of data and the third set of data in three lines, a lower line, an upper line and a middle line.

Technical advantages of the present invention are as follows: the designed method for guaranteeing network information security has express parts as well as password parts, both of which are easy to identify for visitors and users and not easy to counterfeit and fake; it has high security, can completely shield transmission of irrelevant information, and has a greater address space and a smaller routing table.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a system architecture;

FIG. 2 is a schematic diagram of three sets of data codes;

FIG. 3 is a schematic diagram of a generation flow of the three sets of data codes;

FIG. 4 is a schematic diagram of an authentication flow of the three sets of data codes;

FIG. 5 is a schematic diagram of a comparison flow of the three sets of data codes;

FIG. 6 is a schematic diagram of a data flow of the three sets of data codes;

FIG. 7 is a schematic diagram of program fragmentation;

FIG. 8 is a schematic diagram of an authentication unit; and

FIG. 9 is a schematic diagram of a detailed system architecture.

DETAILED DESCRIPTION OF THE INVENTION

The present invention is further described in detail with reference to the accompanying drawings and implementation methods.

A system architecture, as shown in FIG. 1, mainly consists of the Internet, jointly formed by many elements such as a user, a visitor and a network platform, a program fragmentation unit and an authentication unit. The whole flow is basically as follows: at first, three sets of data codes are generated through the authentication unit, the data codes are used as new IP addresses, and the visitor can know the three sets of data codes. When the visitor accesses the user, it is necessary to transmit information containing the new IP addresses of the user to the program fragmentation unit; the program fragmentation unit performs program fragmentation processing on the data and divides the data into three sets of data codes, an authentication center authenticates the authenticity of the three sets of data codes, and if the authentication is passed, the information is transmitted; otherwise, transmission is abandoned.

The present invention, on the basis of user EAN13 coding, adds a serial number coding and an authentication code. The EAN13 coding is a universal manner of uniquely identifying a product worldwide, while the IP address is an address in a TCP/IP network used to uniquely identify each host or device, and the two correspond to each other. The serial number coding uniquely identifies the second set of codes and is an ordered expansion of IPV4: the IP address is expanded from 2³² to 2⁶⁴, meeting the technical difficulty that current IP addresses are not enough. The authentication code is generated by encrypting the EAN13 coding and the serial number coding through a commercial password algorithm. After the authentication code is obtained through encryption with the password algorithm, the EAN13 coding and the serial number coding can be obtained through decryption with the commercial password algorithm, achieving the aim of authentication. The three sets of data codes can uniquely identify the IP address of the user worldwide; the probability that the three sets of data codes of the user are guessed is one over ten trillion, and thus the error rate at which the three sets of data codes identify the user is one over ten trillion.

IPV4 addresses have been completely assigned all over the world, and each IPV4 address includes two parts: a network address and a host address. No networked computer has the right to set an IP address on its own; a unified institution is responsible for assigning a unique network address to an organization that makes an application, the organization can assign a unique host address to each host in its network, and the uniqueness of the network address and the uniqueness of the host address in the network ensure the global uniqueness of the IPV4 address.

I. User EAN13 Coding

China is currently a member of EAN (European Article Number), which is managed by the Coding Promotion Committee, and manufacturers can file an application for use. EAN13 coding is divided into 13 codes and 8 codes; 13 codes are applied to general products, while 8 codes are applied to products with a smaller volume.

1. EAN13 Code Coding Principle

Positions 1-3 are country code;

Positions 4-7 are vendor code;

Positions 8-12 are product code; and

Position 13 is check code.

The first three positions are uniformly assigned internationally, and are 690-695 in China.

If the coding starts with 690 or 691, Positions 4-7 are vendor code, and Positions 8-12 are product code;

if the coding starts with 692-695, Positions 4-8 are vendor code, and Positions 9-12 are product code; and

the final position is check code.

2. Book-Based EAN13 Coding

Positions 1-3 are book code;

Positions 4-12 are first 9 bits of the original ISBN code; and

Position 13 is check code.

3. Periodical-Based EAN13 Coding

Positions 1-3 are periodical code;

Positions 4-10 are first 7 bits of the original ISSN code;

Positions 11-12 are year code; and

Position 13 is check code.

4. Relationship Between EAN8 Coding and EAN13 Coding

1) EAN8 Code Coding Principle:

Positions 1-3 are country code;

Positions 4-7 are vendor code; and

Position 8 is check code.

2) Convert EAN8 Code to EAN13

Reserve: Positions 1-3 are country code;

Positions 4-7 are vendor code;

Increase: Positions 8-12 are 00000; and

Position 13 is EAN13 check code.

II. Serial Number Coding

1. When the Number of the Second Set of Codes Generated on the Date is Not Greater Than 100,000,

Positions 1-4 are 4-bit year code (e.g., 2007);

Positions 5-6 are 2-bit month code (e.g., 11);

Positions 7-8 are 2-bit date code (e.g., 21); and

Positions 9-13 are 5-bit serial number code (e.g., 00000-99999).

2. When the Yield on the Date is Not Greater Than One Million,

Positions 1-3 are 3-bit year code (e.g., 2007 is represented with 007);

Positions 4-5 are 2-bit month code (e.g., 11);

Positions 6-7 are 2-bit date code (e.g., 21); and

Positions 8-13 are 6-bit serial number code (e.g., 000000-999999).

3. When the Yield on the Date is Not Greater Than 10 Million,

Positions 1-2 are 2-bit year code (e.g., 2007 is represented with 07);

Positions 3-4 are 2-bit month code (e.g., 11);

Positions 5-6 are 2-bit date code (e.g., 21); and

Positions 7-13 are 7-bit serial number code (e.g., 0000000-9999999).

III. Authentication Code

The authentication code is a 13-bit decimal number generated by encrypting the first set of EAN13 codes and the second set of serial number codes through the commercial password algorithm, and is unique and random.

The three sets of data are divided into lower, middle and upper rows, the three sets of data codes uniquely identify one user worldwide, and authenticity can be authenticated through encryption and decryption with the commercial password algorithm, achieving the aim of identifying and protecting network information security.

The numbers 0-9 are used as data carriers of the three sets of data codes, and the three sets of data codes are divided into three lines and stored, used for identifying and authenticating network IP.

IV. The Three Sets of Data Codes Made According to the Above Steps Have the Following Advantages:

The three sets of data codes are formed by two sets of plaintext and one set of ciphertext; the safe reliability of the three sets of data codes is established on the basis of the confidentiality of the password algorithm and a secret key, and thus making the ciphertext public will not affect the security of the password algorithm. The possibility of decoding the password algorithm is deemed to be non-existent.

The three sets of data codes are formed by 39-bit decimal numbers, the variation is 10³⁹, and this ensures that the three sets of data codes of all users are unique; the three sets of data codes are formed by three sets of 13-bit decimal numbers, wherein the first set and the second set are plaintexts, and the third set is the authentication code, that is, ciphertext. Therefore, the probability that the three sets of data codes of the user are guessed is one over ten trillion; evidently, this is a small-probability event, and even if the guess is successful, it will not threaten the three sets of data codes of other users.

V. Application of the Three Sets of Data Codes

The three sets of data codes make third-party authentication a reality; the authentication unit owns a password algorithm and a key, the user owns three sets of data codes, and the visitor can know the three sets of data codes. The visitor transmits information containing the three sets of data codes of the user to the authentication unit, authenticity is verified through the authentication unit, if authentication is passed, the information is transmitted, and otherwise, the information is abandoned. The authentication unit monitors the IP of a sender in real time, and if a certain IP continuously sends three sets of data codes in great quantity, even if authentication is passed, the authentication unit will also shield the IP to block transmission of the information.

It is feasible to read three sets of data codes through a network, a POS system, a mobile phone and many other manners; the operation is simple, and the use is convenient and quick. The three sets of data codes have a small volume (3 cm*3 cm), a great information quantity (10³⁹), and are visible.

1. Confidentiality of the three sets of data codes is as follows: there is plaintext as well as ciphertext, and the probability of being guessed is one over ten trillion. One basic principle of information privacy is that making details of an algorithm public will not fundamentally affect the security of the algorithm, that is, privacy relies on the key, and in the solution, even if the ciphertext is disclosed, the security of the three sets of data codes will not be affected.

2. The three sets of data codes are applied to the user's network information security management, and provide a digital platform in line with the international standard for the user's digital management of network information. The three sets of data codes and users correspond one-to-one; the authentication unit helps the user to filter malicious attacks and error information, thus ensuring normal access to user websites and the e-mail processing speed, and increasing the security and timeliness of processing network information by users.

VI. Establishment of a System of Three Sets of Data Codes Requires Establishing a Computer Authentication Unit and a Reading System of Three Sets of Data Codes.

The computer authentication unit has encryption, decryption, encoding, decoding, network transmission, data query, data comparison and other functions, and is provided with an EAN13 code database, an IPV4 address database, a database of three sets of data codes, a commercial password database and the like, wherein the commercial password database is used for managing the key and the commercial password algorithm, ensuring the security of the key and the algorithm.

The authentication unit collects the user's EAN13 coded data and serial number coded data and initializes the database. Data of the database is encrypted through the commercial password algorithm, and a 13-bit decimal-number product authentication code is generated and stored in the corresponding database of three sets of data codes. The three sets of data are stored in an order of upper, middle and lower, that is, “three sets of data codes”. Each user uses one of the three sets of data codes for authentication, and the visitor uses a code-reading device to read the user's three sets of data codes, which are transmitted to the authentication unit via the network. The authentication unit decodes the three sets of data codes, converts them into three sets of 13-bit decimal data, decrypts them with the commercial password algorithm, and verifies the validity of the three sets of data codes; if valid, it generates the EAN13 code and serial number code. It then compares the EAN13 code and the serial number code with the EAN13 code and the serial number code in the initial database; if the comparison is passed, verification is passed and the information is transmitted, and otherwise, the information is abandoned.

The reading system of three sets of data codes provides the visitor with multiple reading manners, and the visitor transmits the three sets of data codes to the authentication unit, which judges whether the EAN13 code is legal, and judges whether the serial number code is legal; then judges whether the combination of the EAN13 code and the serial number is legal; and finally judges whether the authentication code is legal. If no, transmission is abandoned, and if yes, the information is directly transmitted.

The three sets of data codes are used for protecting network information security, and the process may be divided into:

1. Apply for a password algorithm

A required commercial password algorithm, for example, a hash algorithm or a random number generation algorithm, is approved according to the provisions of the Regulations on Commercial Passwords.

2. The schematic diagrams of the three sets of data codes and EAN13 codes, as shown in FIG. 2:

The three sets of data codes consist of the user's EAN13 code, a serial number code and an authentication code, and consist of three sets (an upper set, a middle set and a lower set) of codes.

3. Generation of the three sets of data codes, as shown in FIG. 3:

(1) Initialization: the authentication unit collects the user's EAN13 code and the serial number code, and initializes the database.

(2) Encryption: data of the database is encrypted through the commercial password algorithm, and a 13-bit decimal-number authentication code is generated and stored in the corresponding database.

(3) Encoding: the user's EAN13 code, the serial number code and the authentication code are divided into three sets of 13-bit decimal numbers, and stored in the database of three sets of data codes.

4. Identification of the three sets of data codes, as shown in FIG. 4:

(1) Code-reading: the visitor uses a code-reading device to read the user's three sets of data codes, which are transmitted to the authentication unit via the network.

(2) Decoding: the authentication unit decodes the three sets of data codes, and converts them into three sets of 13-bit decimal numbers. The authentication code is stored in the password database.

(3) Decryption: the authentication unit decrypts the authentication code with the commercial password algorithm, and generates two sets of 13-bit decimal numbers, that is, the digital authentication plain code.

5. Comparison of the three sets of data codes, as shown in FIG. 5:

(1) The authentication unit compares the digital authentication plain code with the EAN13 code and the serial number code of the product in the initial database.

(2) A comparison result is fed back: if they are identical, the verification is passed and the information is transmitted, and if they are not identical, transmission is abandoned.

6. A data flow of the three sets of data codes, as shown in FIG. 6:

(1) An authentication unit is established, and the center has encryption, decryption, encoding, decoding, network transmission, data query, data comparison and other functions.

(2) The authentication unit collects the user's EAN13 code and serial number code, which are two sets of 13-bit decimal data, and generates a set of 13-bit decimal data through encryption, and the three sets of data are stored in the database of three sets of data codes, used for network addressing. The visitor reads the decimal data of the three sets of data codes, or reads the EAN13 coded data of the three sets of data codes, the data is transmitted to the authentication unit, and the authentication code is decrypted to generate two sets of decimal data of the user's EAN13 code and serial number code, which are stored into a digital authentication plain code database. The digital authentication plain code database is compared with the initialized database, to determine according to the result whether to transmit the information.

7. Program fragmentation, as shown in FIG. 7:

(1) The visitor transmits information containing the user's new IP address to CN39-313.

(2) CN39-313 performs program fragmentation processing on the data, and divides the data into 3 segments, each segment being a 13-bit decimal number, that is, 52 bits.

8. The authentication unit, as shown in FIG. 8:

(1) The authentication unit performs decryption computations on the three sets of data.

(2) If the computation result is “0”, the information is transmitted, and if the computation result is “1”, transmission is abandoned.
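As an added worked example (not code from the patent), the following Python models the generation, fragmentation and authentication flow of the three sets of data codes described in steps (1)-(8) of the summary and in items 3-8 above: standard EAN13 check-digit validation, the EAN8-to-EAN13 conversion of section I.4, the serial number layout of claim 2, and the sender-IP shielding rule of section V. Because the page names neither the commercial password algorithm nor its key, a keyed HMAC-SHA256 tag reduced to 13 decimal digits stands in for the third set, and "decryption" becomes recomputing and comparing that tag; the key, function names and sample codes are constructed assumptions.

```python
import hmac
import hashlib
from datetime import date

# Constructed key for the authentication unit; the page names neither the
# commercial password algorithm nor its key, so an HMAC-SHA256 tag stands in.
AUTH_KEY = b"example-authentication-unit-key"


def ean13_check_digit(first12: str) -> str:
    """Standard EAN13 check digit: weights 1,3,1,3,... over the first 12 digits."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(first12))
    return str((10 - total % 10) % 10)


def is_valid_ean13(code: str) -> bool:
    """First set: 13 decimal digits whose position 13 is the EAN13 check code."""
    return (len(code) == 13 and code.isdigit()
            and code[12] == ean13_check_digit(code[:12]))


def ean8_to_ean13(ean8: str) -> str:
    """Section I.4: keep positions 1-7, insert 00000 at 8-12, recompute the check code."""
    if len(ean8) != 8 or not ean8.isdigit():
        raise ValueError("EAN8 must be 8 decimal digits")
    first12 = ean8[:7] + "00000"
    return first12 + ean13_check_digit(first12)


def is_valid_serial(code: str) -> bool:
    """Second set (claim 2 layout): YYYY MM DD followed by a 5-digit serial of the day."""
    if len(code) != 13 or not code.isdigit():
        return False
    try:
        date(int(code[0:4]), int(code[4:6]), int(code[6:8]))
    except ValueError:  # e.g. month 13, or day 31 in November
        return False
    return True


def make_auth_code(ean13: str, serial: str) -> str:
    """Third set: 13-digit authentication code derived from the two plaintext sets.

    Assumption: a keyed HMAC-SHA256 tag reduced to 13 decimal digits replaces the
    page's unspecified commercial password algorithm; verification recomputes it."""
    tag = hmac.new(AUTH_KEY, (ean13 + serial).encode(), hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**13).zfill(13)


def three_sets(ean13: str, serial: str) -> str:
    """Steps (2)-(5): validate both plaintext sets, then join the three 13-digit lines."""
    if not is_valid_ean13(ean13):
        raise ValueError("first set does not follow the EAN13 coding principle")
    if not is_valid_serial(serial):
        raise ValueError("second set does not follow the serial number coding principle")
    return ean13 + serial + make_auth_code(ean13, serial)


def fragment(new_ip: str) -> tuple:
    """Step (6): split the 39-digit new IP address into three 13-digit segments."""
    if len(new_ip) != 39 or not new_ip.isdigit():
        raise ValueError("expected 39 decimal digits")
    return new_ip[0:13], new_ip[13:26], new_ip[26:39]


def authenticate(segments: tuple) -> int:
    """Steps (7)-(8): 0 means the three sets check out and are forwarded, 1 means abandon."""
    ean13, serial, auth = segments
    if not (is_valid_ean13(ean13) and is_valid_serial(serial)):
        return 1
    # Constant-time comparison of the recomputed tag with the presented third set.
    return 0 if hmac.compare_digest(make_auth_code(ean13, serial), auth) else 1


class AuthenticationUnit:
    """Section V: a sender IP that submits codes in great quantity is shielded even
    when its codes pass; `limit` is the assumed per-sender submission threshold."""
    def __init__(self, limit: int):
        self.limit = limit
        self.submissions = {}

    def handle(self, sender_ip: str, new_ip: str) -> int:
        count = self.submissions.get(sender_ip, 0) + 1
        self.submissions[sender_ip] = count
        if count > self.limit:
            return 1  # shielded: transmission blocked regardless of the code
        try:
            return authenticate(fragment(new_ip))
        except ValueError:
            return 1  # malformed address: abandon transmission
```

The sample EAN13 code 6901234567892 and serial code 2007112100001 used in testing are constructed values built from the page's 690 country prefix and its 2007/11/21 date example.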

9. The system architecture, as shown in FIG. 9:

The system architecture shown in FIG. 9 is a detailed schematic diagram, which mainly consists of an authentication center, a manufacturer, a bank, a network platform, a logistics enterprise, consumers and many other elements, and the operation flow of the whole system is basically as follows: at first, three sets of data codes are generated through the authentication center on the left side of FIG. 9 and then are sent to each manufacturer in a physically isolated manner; upon receipt, the manufacturer labels the three sets of data codes onto the corresponding products through a labeling device on the production line, and the products are circulated through the logistics enterprise. When the consumers get the products, they can query the three sets of data codes on the products through smartphones or smart terminal devices, and the queried information category includes basic production information, raw material information, inspection and quarantine information, base information and other upward “traceability information” of the products, and also includes downward “trace information” starting from packaging and leaving the factory to all levels of logistics distribution, merchant sales and consumers' purchasing of products, and even switch operation until loss of the products.

A data flow of a food safety cloud service platform is: authentication center (data generation)→vendor (data receiving and corresponding to a single product)→logistics enterprise (data flow)→consumer (query data)→authentication center (data authentication, the data passes the authentication if the computation result is “0”, and a query request is forwarded to the vendor)→vendor (which receives the query request and makes feedback). During this, when the consumer queries the product in hand, the data has to go back to the authentication center to authenticate whether the three sets of data codes on the product exist or not and whether the data codes are correct and legal; the authentication is passed only when the three sets of data on the identification are zeroed out, and then the corresponding vendor database is addressed to call out the corresponding product information, which is sent to a query terminal of the consumer for display.

A system architectural diagram of a method for guaranteeing network information security is made on the basis of the system architectural diagram shown in FIG. 9; the system architectural diagram is different in that it mainly consists of an authentication center, a user, a network platform, a visitor and the like, and the whole operation flow is basically as follows: at first, three sets of data codes are generated and stored through the authentication unit on the left side of the figure and are used as the user's new IP address, and the visitor can know the three sets of data codes. When the visitor accesses the user, the visitor needs to transmit to the authentication unit information containing the three sets of data codes of the user, authenticity is verified through the authentication unit, if the verification is passed, the information is transmitted, and otherwise, transmission is abandoned.

A corresponding data flow chart is: authentication unit (which generates data)→user (who is assigned a new IP address)→visitor (who reads the new IP address)→authentication unit (which authenticates and transmits, decrypts the three sets of data, transmits the information if the computation result is “0”, and abandons transmission if the computation result is “1”)→user (who makes corresponding feedback according to the information content). In this process, when the visitor accesses the user, the visitor needs to first transmit information containing the three sets of data codes of the user to the authentication unit, and after authentication is zeroed out, the authentication unit will further send the information to the user.

What is claimed is:
 1. A system method for guaranteeing network information security, wherein the method comprises: (1) acquiring a first set and a second set of 13-bit decimal data to be processed by a computer; (2) the computer judging whether the first set of data is in line with an internationally agreed EAN13 coding principle, if yes, the background making the data correspond to an IPV4 address of a user, and if no, prompting an error; (3) the computer judging whether the second set of data is in line with a serial number coding principle, if yes, performing the next step, and if no, prompting an error; (4) the computer encrypting the first set of data in line with the EAN13 coding principle and the second set of data in line with the serial number coding principle through a commercial password algorithm, to generate a 13-bit decimal authentication code, that is, the third set of data; (5) the computer dividing the first set of data, the second set of data and the third set of data into three lines, that is, three sets of data codes are obtained, and using them as new IP addresses of the user; (6) a visitor transmitting information containing the new IP addresses of the user to a program fragmentation processing unit of a computer system, that is, CN39-313 which performs program fragmentation processing on the data and divides the data into three segments, each segment being a 13-bit decimal number, that is, 52-bit binary number; (7) the computer transmitting the three sets of data to an authentication center which decrypts the three sets of data, if a computation result is “0”, transmitting information to a target user, that is, an interviewee, after encryption of the three sets of data, and if the computation result is “1”, abandoning transmission; and (8) the computer storing three sets of data codes divided into three lines, used for network addressing.
 2. The system method for guaranteeing network information security according to claim 1, wherein the coding principle of the second set of data, that is, the serial number coding principle, is that positions 1-4 are 4-bit year codes, positions 5-6 are 2-bit month codes, positions 7-8 are 2-bit date codes, and positions 9-13 are 5-bit serial number codes of the date.
 3. The system method for guaranteeing network information security according to claim 1, wherein, after the authentication code is obtained, the authentication code is decrypted through the commercial password algorithm, and the first set and the second set of 13-bit decimal data can be obtained.
 4. The system method for guaranteeing network information security according to claim 1, wherein the computer divides the first set of data, the second set of data and the third set of data into three lines and then stores the data in a manner of storing the first set of data, the second set of data and the third set of data in three lines.
 5. The system method for guaranteeing network information security according to claim 4, wherein, in product logo printing, the computer divides the first set of data, the second set of data and the third set of data into three lines and then stores the data in a manner of storing and printing the first set of data, the second set of data and the third set of data in three lines, a lower line, an upper line and a middle line. 